Multicore for avionics, certifying COTS to DAL-A, commercial UAVs

Every month the McHale Report will host an online roundtable with experts from the defense and aerospace electronics industry – from major prime contractors to defense component suppliers. Each roundtable will explore topics important to the military and avionics embedded electronics market. This month our roundtable of industry experts discusses safety certification of embedded commercial-off-the-shelf (COTS) hardware and software, multicore in avionics, unmanned aerial vehicle (UAV) safety certification, and the buzz on the floor at the Aviation Electronics Europe show held last month in Munich, Germany.

MCHALE REPORT: Last month the avionics community gathered in Munich, Germany for the annual Aviation Electronics Europe show. What trends in safety certification and avionics technology did you see emerging at the event?

MEILLEUR: First, overall it seems that the market as a whole is growing, especially in commercial aerospace. Second, processor family interests are changing. For instance, ARM - where the Xilinx Ultrascale is getting tons of interest. We are also seeing devices out of NXP that have a strong fit for certain avionics applications.

Third, but not least, the use of multicore processors has shifted from a study phase and into initial development phases. There is a mix of multicore technologies, where RTOS [real-time operating system] vendors are taking different approaches and relying upon different technologies – which may greatly influence the performance and level of certification challenges for these RTOS users. These technical differences along with processor use and other factors are the reasons why we are seeing a shift in jockeying amongst the RTOS vendors in the avionics industry.

HILDERMAN: Several seemingly major unrelated trends are underway but when the larger picture is considered, it’s seen they are related. Trends:

Expanding scope of safety assessments (via soon to be released updated SAE ARP4761A) and tightening of the “Ecosystem” to remove remaining safety gaps

Overall, the above trends simply point to multiple merger-points illustrating how the Avionics Development Ecosystem really is an Ecosystem requiring ever-greater integration.

FRANK: A definite trend is the widespread adoption of multicore processors by safety certifiable hardware and software vendors, with many [operating system] vendors taking different approaches to address CAST-32 guidance on the use of multicore processors for safety certifiable systems.

Additionally, the COTS supplier base is now offering safety certifiable COTS, which will drive down the risks of custom bespoke designs, and with a focus on size, weight, and power (SWaP) optimized hardware, it will continue to shrink the size of these complex systems.

HILDERMAN: Yes – Just ten years ago it was difficult to certify civil avionics software using C++ and today that’s been resolved via DO-332. Similarly, many systems are DAL-A, which requires redundancy to achieve. That redundancy is more likely to have common single-point failure areas when relying solely on unique customized solutions each time. One answer is COTS. From the new multicore DAL RTOSs to fully integrated single-board computers, COTS components are on the increase even for DAL-A.

MEILLEUR: Yes, for software it’s becoming much more commonplace for avionics companies to use COTS RTOSs. At DDC-I, we are finding more and more acceptance for COTS RTOS use in the more sensitive end point control systems (e.g., flight controls, FADECs, etc.). Historically, this was all bare-metal software environments, but we have seen a shift as there is a draw towards RTOSs for the advantages of partitioning and software and certification reuse, better tooling, industry standards, more features, and the ability to reduce program schedules overall. Also multicore is driving avionics suppliers to COTS RTOSs.

The reasoning is simple. First, multicore in safety critical requires the system wide management of processor and resource management. Second, it is very hard for even the largest avionics companies to create a business case that would support the development costs, risks, and lifetime burdens of developing a multicore RTOS environment on their own.

Certifiable COTS hardware is really starting to take off. We see the market need for COTS common compute platforms, and believe the growth area for them is in commercial aircraft and UAVs. However, we find that several of these vendors are still very military focused (with different values on SWaP and packaging) for commercial aerospace, but there is an undeniably strong shift towards certifiable COTS hardware.

FRANK: We are seeing widespread adoption of COTS for safety certifiable and indeed this includes designs up to and including DAL-A. The pace of today’s technology developments cannot afford the costs and risks associated with custom designed safety certifiable modules, so the COTS model fits perfectly. However, COTS for safety certifiable must be truly designed from the start with the same processes and rigor that a bespoke design must undergo, and thus can certainly achieve all DAL levels if designed right from the start.

MCHALE REPORT: How do avionics hardware and software safety certification requirements differ in Europe compared to the U.S.? Asia?

FRANK: There are definite differences between certification authorities such as the Federal Aviation Administration (FAA) and European Aviation Safety Agency (EASA), but there are more similarities than differences. The key is to work closely with all the certification agencies and to understand the requirements applicable to each jurisdiction and design.

MEILLEUR: In the European Union (EU), it is commonplace for military systems to require formal certification - where in the U.S. it is rare for military systems to truly mandate the formal certification processes. Although from our experience contracts will state their systems must be certifiable if later deemed necessary.

On the commercial side, there are only minor differences between the EU and the U.S. Much of Asia (e.g., China, South Korea, India, etc.) is expanding its certification experience and knowledge at a very high rate. It is interesting to note that as a whole the Asian countries are very progressive in using higher-level languages, test tools, etc.

HILDERMAN: Asia is mostly copying the U.S., but EASA has gradually, for its strongest focus which is civilian by far, adopted a more conservative stance toward DO-178C and DO-254 interpretation, whereas the FAA has become more accommodating (liberal?) in some areas. This trend continues with the FAA examining new “Overarching Conditions” which may in the near future provide U.S. avionics developers various forms of credit for proven experience and histories. Opposite for EASA.

MCHALE REPORT: What technology or standard will have the most impact on the avionics world in the next five to 10 years? Certifying unmanned aircraft for civil airspace? Satellite navigation? Other?

MEILLEUR: UAVs of all sorts as well as personal aircraft with pilot assist systems for flight. [From an embedded technology perspective] critical multicore operation, improved simulation tooling, security influences, more fly by wire (fbw) usage to the microcontroller level, etc., will be [game changers.]

FRANK: All the certification authorities have taken great interest in this market, and will be working hard to ensure the vast majority of commercial UAVs meet the same strict safety standards as the manned aviation industry adheres to today. And with the sheer variety of commercial applications and quantities of units involved, I see the next wave of transportation clearly in the air.

There will still be a market for small hobby drones sold at the local electronics store to the technically savvy enthusiast, but the avionics industry will benefit from the enormous growth of commercial drones, which will fill our skies with everything from pizza delivery drones (imagine the 30-minute guarantee now becomes 15 minutes and the pizza is still hot!) to automated taxis carrying human passengers across our urban skies without the limitations of roadway based traffic congestion.